OBS User unknown 2008-04-03 23:39:34 +00:00 committed by Git OBS Bridge
parent c5d11fc1d1
commit a08aaabac8
6 changed files with 354 additions and 38 deletions


@ -23,15 +23,6 @@ Index: scripts/umount.crypt
for ((x = 5; x >= 0; --x)); do
fuser -m "$1" || break;
@@ -72,7 +83,7 @@ fi
# Check for LUKS
#
-if cryptsetup isLuks "$DEVICE" 2>/dev/null; then
+if cryptsetup isLuks "$REALDEVICE" 2>/dev/null; then
cryptsetup luksClose "$DMDEVICE";
else
cryptsetup remove "$DMDEVICE";
@@ -90,3 +101,12 @@ if echo "$REALDEVICE" | grep ^/dev/loop
exit 1
fi
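Review bot: the isLuks probe in the umount.crypt fragment only selects between `cryptsetup luksClose "$DMDEVICE"` and `cryptsetup remove "$DMDEVICE"`, and both act on the same mapping; the changes entry in this same commit says luksClose is the same as remove, so the branch could collapse to one unconditional `cryptsetup remove "$DMDEVICE"` and the probe would go away entirely. While the branch exists, probing $REALDEVICE instead of $DEVICE is the right fix, since the LUKS header sits on the device underneath the mapping (the `grep ^/dev/loop` check on $REALDEVICE in the last inner header confirms that is what the variable names); note that `2>/dev/null` also hides a probe that fails because the path no longer exists and silently takes the non-LUKS path. The rendering has dropped the outer diff's own +/- prefixes, so whether the `isLuks` line pair is being added to or removed from pam_mount-0.18-umount-home-dir.dif cannot be confirmed from this view, nor can the nine lines the `+101,12` header says were added after the loop-device check.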


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a36f7493563cf2b4f9b801d830ae084d380af174e28efce9ee3cdda710fbe1fd
size 292007

pam_mount-0.32-post.dif (new file, 290 lines)

@ -0,0 +1,290 @@
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.8 new/pam_mount-0.33/doc/pam_mount.8
--- old/pam_mount-0.32/doc/pam_mount.8 2007-09-09 14:10:23.000000000 +0200
+++ new/pam_mount-0.33/doc/pam_mount.8 2008-02-06 00:46:20.000000000 +0100
@@ -24,9 +24,8 @@
in an automount/supermount config file. This is also necessary for securing
encrypted filesystems.
.PP
-pam_mount "understands" SMB, NCP, and any type of filesystem that can be
-mounted using the standard mount command. If someone has a particular need for
-a different filesystem, feel free to ask me to include it and send me patches.
+pam_mount can mount any filesystem the kernel supports, and has supports the
+userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto mounts.
.PP
If you intend to use pam_mount to protect volumes on your computer using an
encrypted filesystem system, please know that there are many other issues you
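Review bot: the added man-page sentence reads "and has supports the userspace helpers", which is ungrammatical; it should be "and supports the userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto mounts". pam_mount.txt below carries the same sentence (hyphenated as "sup-"/"ports"), so correct it here and regenerate the text rendering rather than patching the wording in both places.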
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.txt new/pam_mount-0.33/doc/pam_mount.txt
--- old/pam_mount-0.32/doc/pam_mount.txt 2007-09-09 14:10:23.000000000 +0200
+++ new/pam_mount-0.33/doc/pam_mount.txt 2008-02-06 00:46:20.000000000 +0100
@@ -27,26 +27,25 @@
remote volume in /etc/fstab or in an automount/supermount config
file. This is also necessary for securing encrypted filesystems.
- pam_mount "understands" SMB, NCP, and any type of filesystem that can
- be mounted using the standard mount command. If someone has a particu
- lar need for a different filesystem, feel free to ask me to include it
- and send me patches.
-
- If you intend to use pam_mount to protect volumes on your computer
- using an encrypted filesystem system, please know that there are many
- other issues you need to consider in order to protect your data. For
- example, you probably want to disable or encrypt your swap partition
+ pam_mount can mount any filesystem the kernel supports, and has sup
+ ports the userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto
+ mounts.
+
+ If you intend to use pam_mount to protect volumes on your computer
+ using an encrypted filesystem system, please know that there are many
+ other issues you need to consider in order to protect your data. For
+ example, you probably want to disable or encrypt your swap partition
(the cryptoswap can help you do this). Do not assume a system is secure
without carefully considering potential threats.
NASTY DETAILS
- The primary configuration file for the pam_mount module is
- pam_mount.conf.xml. On most platforms this file is read from
- /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con
- figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con
+ The primary configuration file for the pam_mount module is
+ pam_mount.conf.xml. On most platforms this file is read from
+ /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con
+ figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con
tains many comments documenting its use.
- In addition, you must include two entries in the system's applicable
+ In addition, you must include two entries in the system's applicable
/etc/pam.d/SERVICE config files, as the following example shows:
auth required pam_securetty.so
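Review bot: this and the following pam_mount.txt hunks are whitespace-only re-justifications of the rendered man page (each -/+ pair differs only in spacing) and carry over the same "has sup-ports" grammar slip from pam_mount.8; churning a generated file this way makes the substantive changes elsewhere in the patch hard to pick out. Either leave pam_mount.txt out of the patch and regenerate it at build time, or trim these hunks to the lines whose wording actually changes.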
@@ -61,14 +60,14 @@
+++ session optional pam_mount.so
When "sufficient" is used in the second column, you must make sure that
- pam_mount is added before this entry. Otherwise pam_mount will not get
- executed should a previous PAM module succeed. Also be aware of the
- "include" statements. These make PAM look into the specified file. If
+ pam_mount is added before this entry. Otherwise pam_mount will not get
+ executed should a previous PAM module succeed. Also be aware of the
+ "include" statements. These make PAM look into the specified file. If
there is a "sufficient" statement, then the pam_mount entry must either
be in the included file before the "sufficient" statement or before the
"include" statement.
- If you use pam_ldap, pam_winbind, or any other authentication services
+ If you use pam_ldap, pam_winbind, or any other authentication services
that make use of PAM's sufficient keyword then model your configuration
on the following:
@@ -81,17 +80,17 @@
This allows the following:
- 1. pam_mount will prompt for a password and export it to the PAM sys
+ 1. pam_mount will prompt for a password and export it to the PAM sys
tem.
- 2. pam_ldap will use the password from the PAM system to try and
+ 2. pam_ldap will use the password from the PAM system to try and
authenticate the user. If this succedes, the user will be authenti
cated. If it fails, pam_unix will try to authenticate.
- 3. pam_unix will try to authenticate the user if pam_ldap fails. If
+ 3. pam_unix will try to authenticate the user if pam_ldap fails. If
pam_unix fails, then the authentication will be refused.
- Alternatively, the following is possible (thanks to Andrew Morgan for
+ Alternatively, the following is possible (thanks to Andrew Morgan for
the hint!):
auth [success=2 default=ignore] pam_unix2.so
@@ -99,20 +98,20 @@
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
- It may seem odd, but the first three lines will make it so that at
- least one of pam_unix2 or pam_ldap has to succeed. As you can see,
- pam_mount will be run after successful authentification with theses
+ It may seem odd, but the first three lines will make it so that at
+ least one of pam_unix2 or pam_ldap has to succeed. As you can see,
+ pam_mount will be run after successful authentification with theses
subsystems.
- If your volume has a different password than your system account, then
- encrypt the password to the volume you wish mounted using your system
- password as the key and store it somewhere on your system's local
+ If your volume has a different password than your system account, then
+ encrypt the password to the volume you wish mounted using your system
+ password as the key and store it somewhere on your system's local
filesystem. pam_mount supports transparently decrypting this filesystem
key, as long as the cipher used is supported by openssl. Given:
sk system key, the key or password used to log into the system
- fsk filesystem key, the key that allows you to use the filesystem
+ fsk filesystem key, the key that allows you to use the filesystem
you wish pam_mount to mount for you
E and D
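Review bot: the line "pam_mount will be run after successful authentification with theses subsystems" is being rewritten in this hunk anyway, so fix the spelling ("authentication with these") while re-wrapping it instead of carrying the typo forward into the new version.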
@@ -121,48 +120,48 @@
efsk encrypted filesystem key, efsk = E_sk (fsk), stored somewhere on
the local filesystem (ie: /home/user.key)
- pam_mount will read efsk from the local filesystem, perform fsk = D_sk
- (efsk) and use fsk to mount the filesystem. If you change your system
- password, simply regenerate efsk using efsk = E_sk (fsk). If you want
- to mount this volume by hand, use something like openssl enc -d
- -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa
+ pam_mount will read efsk from the local filesystem, perform fsk = D_sk
+ (efsk) and use fsk to mount the filesystem. If you change your system
+ password, simply regenerate efsk using efsk = E_sk (fsk). If you want
+ to mount this volume by hand, use something like openssl enc -d
+ -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa
tion about this technique is included in pam_mount.conf.xml.
- A script named mkehd is provided with pam_mount to help create
- encrypted home directories. If you have an entry for a user using
- encrypted home directories in pam_mount.conf.xml, mkehd will create
+ A script named mkehd is provided with pam_mount to help create
+ encrypted home directories. If you have an entry for a user using
+ encrypted home directories in pam_mount.conf.xml, mkehd will create
necessary filesystem images and possibly encrypted filesystem keys.
- Individual users may define additional volumes to mount if allowed by
- pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword
+ Individual users may define additional volumes to mount if allowed by
+ pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword
is the only valid keyword in these per-user configuration files. If the
luserconf parameter is set in pam_mount.conf.xml, allowing user-defined
- volume, then users may mount and unmount any volume they own at any
- mount point they own. On some filesystem configurations this may be a
- security flaw so user-defined volumes are not allowed by the example
+ volume, then users may mount and unmount any volume they own at any
+ mount point they own. On some filesystem configurations this may be a
+ security flaw so user-defined volumes are not allowed by the example
pam_mount.conf.xml distributed with pam_mount.
- In general, you will leave all the first (general) parameters as pro
- vided by default. You only have to provide the user/volume list in the
+ In general, you will leave all the first (general) parameters as pro
+ vided by default. You only have to provide the user/volume list in the
end of the file, following the examples.
- To ensure that your system and, possibly, the remote server are all
+ To ensure that your system and, possibly, the remote server are all
properly configured, you should try to mount all or some of the volumes
by hand, using the same commands and mount points provided in
pam_mount.conf.xml. This will save you a lot of grief, since it is more
difficult to debug the mounting process via pam_mount.
- If you can mount the volumes by hand but it is not happening via
- pam_mount, you may want to enable the "debug" option in
+ If you can mount the volumes by hand but it is not happening via
+ pam_mount, you may want to enable the "debug" option in
pam_mount.conf.xml to see what is happening.
- Verify if the user owns the mount point and has sufficient permissions
- over that. pam_mount will verify this and will refuse to mount the
+ Verify if the user owns the mount point and has sufficient permissions
+ over that. pam_mount will verify this and will refuse to mount the
remote volume if the user does not own that directory.
- If pam_mount is having trouble unmounting volumes upon logging out,
- enable the debug variable and check the lsof variable in
- pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out
+ If pam_mount is having trouble unmounting volumes upon logging out,
+ enable the debug variable and check the lsof variable in
+ pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out
and write lsof's output to the system's logs.
AUTHORS
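Review bot: two points in the documented key-handling text that this hunk re-wraps without changing. First, the by-hand example `openssl enc -d -aes-256-ecb -in /home/user.key | mount -p0 /home/user` encrypts the filesystem key with AES in ECB mode keyed by the login password; ECB provides no integrity, so a corrupted or tampered user.key decrypts to garbage without any error from the D_sk step the text describes, and the documentation should at least say that the efsk scheme is confidentiality-only. Second, "On some filesystem configurations this may be a security flaw" under luserconf is too vague for an administrator deciding whether to allow user-defined volumes; since the rule stated is "any volume they own at any mount point they own", name the configurations the author has in mind rather than leaving the reader to guess.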
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/Makefile.am new/pam_mount-0.33/Makefile.am
--- old/pam_mount-0.32/Makefile.am 2007-09-26 18:36:28.000000000 +0200
+++ new/pam_mount-0.33/Makefile.am 2008-02-06 00:46:20.000000000 +0100
@@ -23,3 +23,6 @@
AUTOMAKE_OPTIONS = foreign subdir-objects
SUBDIRS = config doc scripts src
+
+install-data-hook:
+ mkdir -p ${DESTDIR}${localstatedir}/run/pam_mount;
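Review bot: `mkdir -p ${DESTDIR}${localstatedir}/run/pam_mount;` creates the directory with the build user's umask and no explicit mode, and on systems where /var/run is a tmpfs it will not exist after a reboot, so whatever writes per-session state there must still be able to create it on demand; the install hook cannot be the only place that does. Prefer the automake spelling `$(MKDIR_P) $(DESTDIR)$(localstatedir)/run/pam_mount`, add `-m 0755` so the result does not depend on the packager's umask, and drop the stray trailing semicolon.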
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/scripts/mount.crypt new/pam_mount-0.33/scripts/mount.crypt
--- old/pam_mount-0.32/scripts/mount.crypt 2007-10-20 16:57:03.000000000 +0200
+++ new/pam_mount-0.33/scripts/mount.crypt 2008-02-06 00:46:20.000000000 +0100
@@ -111,7 +111,7 @@
(keyfile)
keyfile="$VAL";;
(loop)
- if ! losetup "$DEVICE" &>/dev/null; then
+ if [ "`stat --format=\"%t\" \"$DEVICE\"`" == 7 ]; then
LOOP="true";
fi;
;;
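Review bot: the sense of the new test looks inverted relative to the line it replaces, unless the meaning of LOOP changed outside this hunk. The old line set LOOP=true when `losetup "$DEVICE"` failed, that is when $DEVICE is not a configured loop device (typically a plain image file that still needs one); the new line sets LOOP=true only when $DEVICE already is a block device with major 7 (`stat --format=%t` prints the major in hex, and 7 is the Linux loop major), and a plain image file gets `%t` = 0 and no longer takes the LOOP path. Please confirm which meaning is intended. Two smaller points: `==` inside `[ ]` and the escaped quotes nested in backticks are bash-only, which is fine if the script's shebang is bash, and `stat --format` is GNU coreutils, yet the spec change in this same commit drops `coreutils` from Requires.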
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/mount.c new/pam_mount-0.33/src/mount.c
--- old/pam_mount-0.32/src/mount.c 2007-12-06 23:05:08.000000000 +0100
+++ new/pam_mount-0.33/src/mount.c 2008-02-06 02:13:15.000000000 +0100
@@ -397,6 +397,13 @@
}
hmc_strcat(&ret, ",");
}
+
+ if (*ret != '\0')
+ /*
+ * When string is not empty, there is always at least one
+ * comma -- nuke it. */
+ ret[hmc_length(ret)-1] = '\0';
+
return ret;
}
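Review bot: `ret[hmc_length(ret)-1] = '\0'` overwrites the last byte behind the hmc string's back: hmc_strcat maintains the length that hmc_length reads, and a direct NUL store does not update it, so hmc_length(ret) keeps reporting the old length and a later hmc_strcat would append after the NUL, bringing the comma back. Use the library's truncate call if the libHX version in BuildRequires provides one (hmc_trunc, if available), or emit the separator only between elements in the loop above instead of stripping it afterwards. The comment's claim that a non-empty string always ends in a comma holds only because every iteration of that loop ends in `hmc_strcat(&ret, ",")`, which the visible context supports; say so in the comment so the invariant survives the next edit to the loop.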
static void log_pm_input(const struct config *const config,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/pam_mount.c new/pam_mount-0.33/src/pam_mount.c
--- old/pam_mount-0.32/src/pam_mount.c 2007-12-01 13:34:59.000000000 +0100
+++ new/pam_mount-0.33/src/pam_mount.c 2008-02-06 00:45:50.000000000 +0100
@@ -96,8 +96,10 @@
Args.auth_type = SOFT_TRY_PASS;
else if (strcmp("nullok", argv[i]) == 0)
Args.nullok = true;
+ else if (strcmp("debug", argv[i]) == 0)
+ Debug = true;
else
- w4rn("bad pam_mount option\n");
+ w4rn("bad pam_mount option \"%s\"\n", argv[i]);
}
return;
}
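Review bot: an unrecognised option still only warns and is otherwise ignored, so a misspelled `use_first_pass` or `nullok` in /etc/pam.d silently changes behaviour; naming the offender in the warning helps, but consider also listing the accepted options (`soft_try_pass`, `nullok` and `debug` are visible here) in the man page, which this patch touches anyway. Since `Debug` is a global that turns on logging everywhere, check that the debug output never includes the password pam_mount prompts for and exports to the PAM stack (the man page text in this same patch describes that export).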
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/rdconf1.c new/pam_mount-0.33/src/rdconf1.c
--- old/pam_mount-0.32/src/rdconf1.c 2007-12-06 23:05:08.000000000 +0100
+++ new/pam_mount-0.33/src/rdconf1.c 2008-02-06 00:45:50.000000000 +0100
@@ -727,9 +727,13 @@
}
/* realloc */
- config->volume = xrealloc(config->volume,
- sizeof(struct vol) * (config->volcount + 1));
- vpt = &config->volume[config->volcount++];
+ vpt = xrealloc(config->volume, sizeof(struct vol) *
+ (config->volcount + 1));
+ if (vpt == NULL)
+ return strerror(errno);
+
+ config->volume = vpt;
+ vpt = &config->volume[config->volcount];
memset(vpt, 0, sizeof(*vpt));
vpt->globalconf = config->level == CONTEXT_GLOBAL;
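Review bot: if `xrealloc` follows the usual x-prefixed convention of aborting or exiting on allocation failure, the `vpt == NULL` check is dead code; if it can return NULL, the check is right, and assigning to `config->volume` only after a successful realloc (instead of the old in-place `config->volume = xrealloc(config->volume, ...)`) is the correct way to keep the old array reachable on failure. Either way `strerror(errno)` is only meaningful while errno still holds the allocator's value, so keep it immediately after the call as written here.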
@@ -737,6 +741,8 @@
vpt->type = CMD_LCLMOUNT;
vpt->options = HXbtree_init(HXBT_MAP | HXBT_CKEY | HXBT_CDATA |
HXBT_SCMP | HXBT_CID);
+ if (vpt->options == NULL)
+ return strerror(errno);
/* [1] */
strncpy(vpt->fstype, attr->fstype, sizeof(vpt->fstype));
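Review bot: the early `return strerror(errno)` after `HXbtree_init` assumes libHX sets errno on failure; please check, otherwise a stale errno is reported. On that path a zeroed, options-less slot remains in the grown `config->volume` array, which is harmless because `++config->volcount` now happens only at the end of the function. Separately, the context line `strncpy(vpt->fstype, attr->fstype, sizeof(vpt->fstype))` does not guarantee NUL termination when the attribute fills the buffer; a `vpt->fstype[sizeof(vpt->fstype)-1] = '\0'` after it closes that.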
@@ -793,6 +799,7 @@
/* expandconfig() will set this later */
vpt->used_wildcard = 0;
+ ++config->volcount;
return NULL;
notforme:
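Review bot: incrementing `config->volcount` only here, past every early-return site, is the real fix in this file: the slot being filled is not counted until it is fully initialised. A volume rejected via `notforme:` likewise stays uncounted; its already-allocated slot is not leaked, because the next call reallocs to `volcount + 1` again and reuses it. Keep any initialisation that can fail above this line.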

pam_mount-0.32.tar.bz2 (new file, 3 lines)

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:780028b58dbdbe40b035863635fc3ac56f882980d1bda55a234d5c4e5ce4ad60
size 300527
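Review bot: the sha256 in the LFS pointer identifies the blob the bridge stored, not a checksum published by upstream, so it does not by itself tie pam_mount-0.32.tar.bz2 to the upstream release; if upstream publishes a checksum or signature for the 0.32 tarball, record it in the spec (a Source1 signature or a comment) so the provenance of the Source can be checked independently of this repository.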


@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Apr 2 18:02:12 CEST 2008 - mc@suse.de
- update to version 0.32
- notify about unknown options in /etc/pam.d/*
- support "debug" option for pam_mount in /etc/pam.d/*
- mount.crypt: detect loop devices by major number
- Fixed parsing of old-style pam_mount.conf with spaces in group names,
copy-and-paste typos and a missing return value. Added workaround for
CIFS volumes within NFS mounts with "root_squash" option.
- allow --keyfile to be used for non-LUKS too
- luksClose is the same as Remove (in umount.crypt)
- convert "local" fstype entries from old configuration format correctly.
- fixed parsing of old pam_mount.conf with spaces in group names
- fixed: When no volumes were to be mounted, return value
was not PAM_SUCCESS.
-------------------------------------------------------------------
Mon Oct 8 13:47:45 CEST 2007 - mc@suse.de
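Review bot: "fixed parsing of old pam_mount.conf with spaces in group names" appears twice in this entry, once folded into the line about copy-and-paste typos and once on its own; drop one. The first line also says only "update to version 0.32", while the pam_mount-0.32-post.dif added in this commit carries upstream headers of the form `new/pam_mount-0.33/...`, so the entry should state that post-0.32 upstream fixes are applied on top of the 0.32 tarball, which is what the remaining bullet points describe.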


@ -1,7 +1,7 @@
#
# spec file for package pam_mount (Version 0.29)
# spec file for package pam_mount (Version 0.32)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@ -10,17 +10,19 @@
# norootforbuild
Name: pam_mount
BuildRequires: glib2-devel libHX10-devel libxml2-devel openssl-devel pam-devel perl-XML-Writer zlib-devel
Summary: A PAM Module that can Mount Volumes for a User Session
Version: 0.29
Version: 0.32
Release: 1
Requires: lsof coreutils util-linux
Requires: lsof util-linux
Recommends: cryptsetup
License: LGPL v2 or later
License: LGPL v2.1 or later
Prefix: /usr
Group: System/Libraries
Source: %{name}-%{version}.tar.bz2
Patch0: pam_mount-0.32-post.dif
Patch1: pam_mount-0.18-umount-home-dir.dif
Patch2: pam_mount-0.18-bump-max-par.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
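Review bot: `coreutils` is dropped from Requires in the same commit whose new Patch0 makes mount.crypt call `stat --format` (GNU coreutils) to detect loop devices; coreutils is rarely absent, but removing a declared dependency while adding a use of it is the wrong direction, so either keep it or say why it is implicit. The License tag also changes from `LGPL v2 or later` to `LGPL v2.1 or later`; that is correct if the 0.32 tarball's COPYING says 2.1, but it is a legal-metadata change and deserves its own line in pam_mount.changes.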
@ -58,6 +60,7 @@ include it and send me patches.
%prep
%setup -q
%patch0 -p2
%patch1
%patch2
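Review bot: `-p2` is right for Patch0: its paths start with `old/pam_mount-0.32/` and `new/pam_mount-0.33/`, so stripping two components lands in the unpacked 0.32 tree on both sides. Since it is the only patch applied with -p2 while Patch1 and Patch2 take the default, a one-line comment next to `Patch0:` saying it is upstream's post-0.32 diff would save the next maintainer a look.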
@ -110,8 +113,23 @@ rm -rf $RPM_BUILD_ROOT
%doc %{_mandir}/man8/passwdehd.8.gz
%doc %{_mandir}/man8/pmvarrun.8.gz
%doc %{_mandir}/man8/umount.crypt.8.gz
%changelog
* Mon Oct 08 2007 - mc@suse.de
* Wed Apr 02 2008 mc@suse.de
- update to version 0.32
- notify about unknown options in /etc/pam.d/*
- support "debug" option for pam_mount in /etc/pam.d/*
- mount.crypt: detect loop devices by major number
- Fixed parsing of old-style pam_mount.conf with spaces in group names,
copy-and-paste typos and a missing return value. Added workaround for
CIFS volumes within NFS mounts with "root_squash" option.
- allow --keyfile to be used for non-LUKS too
- luksClose is the same as Remove (in umount.crypt)
- convert "local" fstype entries from old configuration format correctly.
- fixed parsing of old pam_mount.conf with spaces in group names
- fixed: When no volumes were to be mounted, return value
was not PAM_SUCCESS.
* Mon Oct 08 2007 mc@suse.de
- update to version 0.29
* pam_mount switched to an XML configuration.
* added truecrypt support
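Review bot: same duplicated "spaces in group names" line as in pam_mount.changes; the %changelog here is a copy of that file, so fix it in one place and regenerate. The new header `* Wed Apr 02 2008 mc@suse.de` drops the ` - ` separator that every older entry used, and the hunk below rewrites all the older headers to match; that churns the whole %changelog for a cosmetic change, which is acceptable if this is now the house format but doubles the size of the spec diff.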
@ -122,56 +140,56 @@ rm -rf $RPM_BUILD_ROOT
* Implement the "soft_try_pass" option
* add "nullok" option
* --keyfile option added to mount.crypt
* Fri Sep 21 2007 - mc@suse.de
* Fri Sep 21 2007 mc@suse.de
- remove the loopdevice for the image too
[#326802]
* Thu Sep 20 2007 - mc@suse.de
* Thu Sep 20 2007 mc@suse.de
- add required dependencies [#326802]
* Wed Apr 04 2007 - crivera@suse.de
* Wed Apr 04 2007 crivera@suse.de
- Don't package mount_ehd, it's only for
OpenBSD. Fixes 256214.
* Thu Mar 29 2007 - mc@suse.de
* Thu Mar 29 2007 mc@suse.de
- add zlib-devel to BuildRequires
* Tue Mar 13 2007 - mc@suse.de
* Tue Mar 13 2007 mc@suse.de
- fix reference counting of pmvarrun app
[#252243]
* Tue Jan 23 2007 - mc@suse.de
* Tue Jan 23 2007 mc@suse.de
- fix umount encrypted homedirectories
[#237793]
* Thu Jan 18 2007 - mc@suse.de
* Thu Jan 18 2007 mc@suse.de
- disable debug
- increase MAX_PAR to be able to read longer keys
* Fri Jan 12 2007 - mc@suse.de
* Fri Jan 12 2007 mc@suse.de
- add patch to kill all remaining user processes before
unmounting crypted partition
(pam_mount-0.18-umount-home-dir.dif)
* Fri Dec 08 2006 - dgollub@suse.de
* Fri Dec 08 2006 dgollub@suse.de
- use UID of specified user for owner change of mount point
(pam_mount-chownuid-fix.diff)
* Tue Sep 12 2006 - mc@suse.de
* Tue Sep 12 2006 mc@suse.de
- Update to 0.18
* fixes memory corruptions, zero termination, segfaults
* A crash on x86_64 has been fixed. pam_mount now changes
to the root directory before attempting to (un)mount
* Mon Jul 31 2006 - kukuk@suse.de
* Mon Jul 31 2006 kukuk@suse.de
- Update to version 0.16
bugfix release
* Wed Jan 25 2006 - mls@suse.de
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Thu Dec 22 2005 - varkoly@suse.de
* Thu Dec 22 2005 varkoly@suse.de
- Update to version 0.10.0
* Mon Dec 19 2005 - ro@suse.de
* Mon Dec 19 2005 ro@suse.de
- added symlinks to package
* Mon Jul 11 2005 - schubi@suse.de
* Mon Jul 11 2005 schubi@suse.de
- Update to version 0.9.25
* Mon Apr 11 2005 - kukuk@suse.de
* Mon Apr 11 2005 kukuk@suse.de
- Update to version 0.9.22 [Bug #65110]
* Thu Jan 15 2004 - kukuk@suse.de
* Fri Jan 16 2004 kukuk@suse.de
- Build as user
- Add pam-devel to neededforbuild
* Mon Jan 12 2004 - kukuk@suse.de
* Mon Jan 12 2004 kukuk@suse.de
- Update to version 0.9.9
* Mon Oct 27 2003 - kukuk@suse.de
* Mon Oct 27 2003 kukuk@suse.de
- Update to version 0.9.6 [Bug #32216]
* Wed May 28 2003 - kukuk@suse.de
* Wed May 28 2003 kukuk@suse.de
- Initial package
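Review bot: besides the cosmetic ` - ` removal, one header changes its date: `Thu Jan 15 2004` becomes `Fri Jan 16 2004`. Both are valid weekday/date pairs (1 January 2004 was a Thursday), so this is a content change to a historic entry rather than a format fix; if it was done deliberately, say so in pam_mount.changes, otherwise restore the original date.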